Introduction


The Information Commissioner is producing a direct marketing code 
of practice, as required by the Data Protection Act 2018. A draft of 
the code is now out for public consultation. 


The draft code of practice aims to provide practical guidance and 
promote good practice in regard to processing for direct marketing 
purposes in compliance with data protection and e-privacy rules. 
The draft code takes a life-cycle approach to direct marketing. It 
starts with a section looking at the definition of direct marketing to 
help you decide if the code applies to you, before moving on to 
cover areas such as planning your marketing, collecting data, 
delivering your marketing messages and individuals' rights.


The public consultation on the draft code will remain open until 4
March 2020. The Information Commissioner welcomes feedback on
the specific questions set out below.


You can email your response to directmarketingcode@ico.org.uk 


Or print and post to: 


Direct Marketing Code Consultation Team
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF


If you would like further information on the consultation, please 
email the Direct Marketing Code team. 


Privacy statement 


For this consultation we will publish all responses received from 
organisations except for those where the response indicates that they 
are an individual acting in a private capacity (eg a member of the 
public). All responses from organisations and individuals acting in a 
professional capacity (eg sole traders, academics etc) will be published 
but any personal data will be removed before publication (including 
email addresses and telephone numbers). 


For more information about what we do with personal data please see 
our privacy notice 


Q1 Is the draft code clear and easy to understand? 


O Yes 
X No 


If no please explain why and how we could improve this: 


The draft direct marketing Code extends the onus of responsibility for data protection 
between parties - the idea of dual joint controllers in most of the marketing activities, 
wherein parties are in fact in the roles of independent controllers. The result is that
counterparties have to effectively consider liability for the actions of their counterparty, 
whereas in fact they do not have power to do that, since the other party is completely 
and independently taking care about these activities. This leads to a lack of clarity on 
overall responsibility. This is exacerbated where there are two distinct segments in the 
marketing chain - such as social media platforms and the liability of companies using 
such platforms. Further cases such as where parties do not have access to the data of the 
other party, but are both liable for the activities of the other, create demands on each 
party which go against privacy policy (such as data minimization). The issue of “look-alike”
audiences is relevant in this area - i.e. social media platforms take on liability for
this action currently and extending it to other parties who do not possess the data would 
be a considerable change. 


There are other areas where direct interpretation of the text has led to different opinions 
- such as third party consent and market research. In this instance it is not clear why 
third parties should collect consent of data subjects who are not its customers (when the 
compliance obligations with respect to the data subjects are on the party who is their 
data controller). 


Furthermore, there is a lack of clarity as to what would be a satisfactory check on 
whether a marketing partner was compliant with privacy policy. It does not stipulate what 
is proportionate in regard to these checks, leaving open the risk to the primary party of
whether another party’s policies are compliant. It means the primary party becoming
effectively the regulator of the other party with no barometer on where the line of liability
ends. 


In all these situations we find it essential to first properly recognize roles of the parties. 
In situations where we have two independent controllers it has to be clear that each party 
is responsible for its compliance obligations, and they cannot verify or influence the other
party's compliance given that here we have completely independent activities and parties
with equal power. 


Q2 Does the draft code contain the right level of detail? (When 
answering please remember that the code does not seek to 
duplicate all our existing data protection and e-privacy guidance) 


O Yes 


No 


If no please explain what changes or improvements you would like to 
see? 


Q3 Does the draft code cover the right issues about direct marketing? 


O Yes 
X No 


If no please outline what additional areas you would like to see 
covered: 


The definition of direct marketing remains the same as DPA 18, but the reference to “all
processing activities that lead up to, enable or support sending those communications”
leaves a spectrum of interpretation on what exactly constitutes those activities. Common
practices such as data research, segmenting and CRM all underlie customer analysis but
that does not mean they are tied up in direct marketing. The result is that different 
activities may have different legal basis (consent versus legitimate interests) thus making 
it difficult to apply that legal basis to an underlying activity which might give rise to both 
forms. 


This section needs further clarity to avoid trapping many underlying activities whose
purpose would not be for direct marketing purposes but may give rise to it later, 
specifically very tangential activities would create grey areas under the reference above. 


Q4 Does the draft code address the areas of data protection and
e-privacy that are having an impact on your organisation’s direct
marketing practices?


O Yes
X No


If no please outline what additional areas you would like to see covered 


One of the areas where further work is required is the issue of regulatory purpose. The 
Code does make reference to direct marketing obligations being applied to regulatory 
communications. If someone has opted out of direct marketing communications can a
company then not send a regulatory communication? This could lead to a breach of
regulatory requirements. 


There is also the cross over in Codes between regulators. The Code on Direct Marketing 
could affect how operators interpret their requirements under their sectorial Codes 
against this Code. The industry has certain customers for which it must meet regulatory 
obligations (self-excluded) for instance. 


Q5 Is it easy to find information in the draft code?


No 


If no, please provide your suggestions on how the structure could be 
improved: 


Q6 Do you have any examples of direct marketing in practice, good or bad,
that you think it would be useful to include in the code?


If yes, please provide your direct marketing examples:


Q7 Do you have any other suggestions for the direct marketing code?


There are a number of areas where the Code could use increased clarity or confirmation. 
These include: 


1. Business Contacts data being treated as individual data. Where marketing is directed to a legal
entity this is exempt under GDPR. Therefore, business marketing should be outside of the
scope of the Code, with the right of course of business to opt out of such communications.
Definition of direct marketing should be revised given the practical and legal implications that
suggested approach could have.

2. Data access requests — the Code seems to imply that all areas where a subject has been
categorized should be made available to the customer on an access request but this may
involve areas where personal data was never produced (such as statistical data).

3. More clarity on whether certain ads require cookie or marketing consent would be helpful.
“Presented ads”, done upon log-in, are one example.

4. The Code does not cover incentivization of consent other than stating consent must not be a
pre-condition for service.

5. One area in which operators conduct business is with affiliates. While comments have been
made earlier on joint liability and due diligence, the nature of the requirements for this
relationship could be better defined.

6. The sector uses profiling to identify and address customers who may be exhibiting a problem.
This profiling is critical to the obligations of operators pursuant to the sectoral regulator’s LCCP
Codes. If this requires consent then it could dilute the efforts of operators to perform their
regulatory duties.


About you 


Q8 Are you answering as: 


O An individual acting in a private capacity (eg someone
providing their views as a member of the public)

O An individual acting in a professional capacity

X On behalf of an organisation

O Other


Please specify the name of your organisation: 


Betting and Gaming Council 


If other please specify: 




How did you find out about this survey? 


ICO Twitter account
ICO Facebook account
ICO LinkedIn account
ICO website
ICO newsletter
ICO staff member
Colleague
Personal/work Twitter account
Personal/work Facebook account
Personal/work LinkedIn account
Other

If other please specify: 




Thank you for taking the time to complete the survey 